Can you explain what the options you specify do?
– Hawken Nov 17 '12 at 14:18

or --target instead of -b. -D is "disassemble the contents of all sections"; -b bfdname or --target=bfdname will force reading as specified object-code format (not elf but raw binary in our case); -m machine will specify the architecture to use (in our file there is no header with arch info). -M options are options of disassembler; addr16,data16 are used to "specify the default address size and operand size" (treat code as i8086 one in the universal x86 disasm engine)
– osgx Nov 28 '12 at 16:41

You can also set different options for the architecture and the syntax. For example, -m i386 or -Mintel,x86-64. i8086 is an old architecture and using it for modern code may yield unexpected results. Furthermore, specifying x86-64 to -M might be a good idea nowadays since many machines are 64-bit. Passing intel to -M changes the syntax to Intel-style instead of the default AT&T style, which you may or may not want.
– GDP2 Mar 5 '18 at 3:04

-o = Specifies the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right.

-a = Enables automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining the target addresses of the relative jumps and calls it disassembles.

-s = Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.

What does this do as opposed to simple ndisasm? Can you explain the options?
– Hawken Nov 17 '12 at 14:16

Could you explain what those options mean and do? Understanding an answer is better than just getting one.
– ArtB Nov 17 '12 at 17:33

-b specifies 16-, 32- or 64-bit mode. The default is 16-bit mode. -o is the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right. -s specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.
– Janus Troelsen May 6 '13 at 18:49

For 32-bit or 64-bit code, omit the ,8086; the ELF header already includes this information.

ndisasm, as suggested by jameslin, is also a good choice, but objdump usually comes with the OS and can deal with all architectures supported by GNU binutils (superset of those supported by GCC), and its output can usually be fed into GNU as (ndisasm’s can usually be fed into nasm though, of course).

Peter Cordes suggests that “Agner Fog's objconv is very nice. It puts labels on branch targets, making it a lot easier to figure out what the code does. It can disassemble into NASM, YASM, MASM, or AT&T (GNU) syntax.”

Multimedia Mike already found out about --adjust-vma; the ndisasm equivalent is the -o option.

To disassemble, say, sh4 code (I used one binary from Debian to test), use this with GNU binutils (almost all other disassemblers are limited to one platform, such as x86 with ndisasm and objconv):

objdump -D -b binary -m sh -EL x

The -m is the machine, and -EL means Little Endian (for sh4eb use -EB instead), which is relevant for architectures that exist in either endianness.

Agner Fog's objconv is very nice. It puts labels on branch targets, making it a lot easier to figure out what the code does. It can disassemble into NASM, YASM, MASM, or AT&T (GNU) syntax.
– Peter Cordes Dec 23 '15 at 4:05

It built fine right out of the box on GNU/Linux, for me. But yes, it's x86 / x86-64 only, unlike GNU binutils. However, it has a lot of nice x86-specific hints that it adds as comments, like when an operand-size prefix can cause an LCP-stall in the decoders of an Intel CPU. By all means, mention it in your answer. One of the major purposes of comments is to help the poster improve their answer, not just as something that later viewers need to read, too.
– Peter Cordes Dec 23 '15 at 11:11

@PeterCordes Yes well I have MirBSD as main OS ;)
– mirabilos Dec 23 '15 at 11:35

@PeterCordes but it seems it can't disassemble raw binaries, can it? I had to create minimal ELF files just to be able to feed a bunch of instructions into it, but maybe I just missed some option?
– Ruslan Apr 28 '17 at 12:08

@Ruslan: IDK, interesting question. I usually just use objdump, or if I want branch labels, gcc -O3 -masm=intel -fverbose-asm -S -o- | less, since I'm usually trying to tweak C source into compiling to good asm.
– Peter Cordes Apr 28 '17 at 17:12
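
The options discussed in the answers and comments above, put side by side in one wrapper. This is an added example, not code from any of the posters: the function names, the 7-byte sample and the 0x7c00 load address are assumptions made for illustration. It maps a bit mode and load address to the matching objdump and ndisasm options, then disassembles the same constructed bytes as 16-bit and as 32-bit code to show how the mode changes the decoding.

```shell
#!/bin/sh
# Added example (not from the original answers): one wrapper, both tools.

# objdump options for a headerless x86 blob: BITS (16|32|64) and load address.
objdump_opts() {
    case "$1" in
        16) arch='-m i386 -M addr16,data16,intel' ;;
        32) arch='-m i386 -M intel' ;;
        64) arch='-m i386:x86-64 -M intel' ;;
        *)  echo "unsupported bits: $1" >&2; return 1 ;;
    esac
    echo "-D -b binary $arch --adjust-vma=$2"
}

# ndisasm options for the same inputs; -o plays the role of --adjust-vma.
ndisasm_opts() {
    case "$1" in
        16|32|64) echo "-b $1 -o $2" ;;
        *) echo "unsupported bits: $1" >&2; return 1 ;;
    esac
}

# Disassemble FILE with whichever tool is installed (objdump preferred).
disasm_raw() {
    if command -v objdump >/dev/null 2>&1; then
        opts=$(objdump_opts "$1" "$2") || return 1
        objdump $opts "$3"          # word splitting of $opts is intentional
    elif command -v ndisasm >/dev/null 2>&1; then
        opts=$(ndisasm_opts "$1" "$2") || return 1
        ndisasm $opts "$3"
    else
        echo "neither objdump nor ndisasm found" >&2; return 127
    fi
}

# Constructed sample, written with octal escapes for a portable printf:
#   b8 34 12 | cd 10 | eb fe  =  mov ax,0x1234 ; int 0x10 ; jmp $
demo() {
    f=$(mktemp) || return 1
    printf '\270\064\022\315\020\353\376' > "$f"
    echo "== 16-bit at 0x7c00 =="; disasm_raw 16 0x7c00 "$f"
    echo "== same bytes as 32-bit =="; disasm_raw 32 0x7c00 "$f"
    rm -f "$f"
}
demo || echo "demo failed (tool missing or architecture unsupported)" >&2
```

In the 32-bit pass the first five bytes fuse into a single mov with a 32-bit immediate, which is the kind of silent mis-decoding a wrong mode produces on a raw blob.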
